SIP/Multipath - unexpected behavior

Hey Community,

a few days ago we switched to IP phones with a new SIP gateway, and now we see a few very strange things with the UTM (SG330, 9.702).

We have multiple external interfaces, and we wanted the SIP gateway to communicate with the provider via our second line, let's call it eth2. So we set a multipath rule: from SIP gateway to the ISP network (/27) with all services, use eth2 (we disabled "Skip rule on interface error" since our external partner told us this would result in splitting RTP traffic across different interfaces and cause more problems than we already have).
SIP protocol support is enabled, although our external partner said we should not do it, since our ISP says to disable "SIP ALG". But is the SIP protocol support the same thing as SIP ALG? At least we have no connection breakups with this enabled, unlike what he told us...

Now, when I check the Sophos via ssh, I see in iftop that the traffic to the ISP is only using eth2, and not our main line eth1. If I do a tcpdump, I see all packets to the ISP using eth2.

But then we see a lot of drops in the firewall, about every 6 seconds and only while calls are open: ISP_Net:highport -> eth1:configured RTP ports. This is odd, since all traffic should use eth2. So we called the ISP, and they tell us that in all their logs there is no occurrence of our eth2 IP; all traffic is coming from and going to eth1.

So tcpdump and iftop tell me that all traffic is using eth2 like we set in the multipath rule, but the ISP tells me they only see eth1?? How can that be?

I already tried to set a masquerading rule for the SIP gateway, but the every-6-seconds RTP packets still come in on eth1. I then added a DNAT rule for these dropped packets; at least now they come through.

Any ideas what is going on here?

Thanks in advance!

Regards,

Tobias

  • Hello Tobias,

    Please show a relevant drop line from the full Firewall log file.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Was there any problem in VoIP calls that was solved by the DNAT?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • After adding a 2nd internet line, I had some difficulties with masquerading/multipath rules and an old forgotten SNAT rule for some outgoing traffic.

    Have a look with tcpdump on your eth2 and check that there are no outgoing packets with the source IP of eth1. As UDP is stateless, your provider would send the answer packets to the wrong interface.

  • Hey everyone,

    first, here are the lines from the packetfilter log.
    Lines like this we see all day without active calls; they cause no problem:

    2020:04:22-00:55:13 gate-2 ulogd[20267]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="15" initf="eth0" outitf="eth6" srcmac="xxx" dstmac="xxx" srcip="LOCAL_SIP_GATEWAY" dstip="EXTERNAL_PROVIDER" proto="17" length="587" tos="0x00" prec="0xa0" ttl="63" srcport="5060" dstport="5060" 

    Then, when a call is active, we get these lines:

    2020:04:23-08:14:16 gate-2 ulogd[20267]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="15" initf="eth0" outitf="eth1" srcmac="xxx" dstmac="xxx" srcip="LOCAL_SIP_GATEWAY" dstip="EXTERNAL_PROVIDER" proto="17" length="200" tos="0x00" prec="0xa0" ttl="126" srcport="6000" dstport="21528" 
    2020:04:23-08:20:20 gate-2 ulogd[20267]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth6" srcmac="" dstmac="" srcip="EXTERNAL_PROVIDER" dstip="EXTERNAL_IP_SOPHOS" proto="17" length="200" tos="0x00" prec="0x00" ttl="57" srcport="15322" dstport="6000" 

    Strange thing is, now that I look into the logs, it seems that the requests and responses are minutes apart from each other. When I checked the live log during calls, I saw that there were outgoing packets to the provider from our SIP gateway, and the responses were dropped directly after.

    What we did solve for now is that the traffic was going out through eth1 and coming back on eth2, by rebooting the UTM. All rules were set but obviously ignored until we rebooted; now the responses come in on eth1 as expected. But they would still be dropped by the default firewall rule without the DNAT.

    With the DNAT rule, our major problems seem to be solved. We still have minor issues (some calls break up, voice breaks up in the middle of the call, bad quality), but only with very few calls, so I am not even sure that the problem is at our site.

    You say UDP is stateless, but I guess that the packet inspection is still stateful with UDP? But it looks in fact as if the packets are either not part of the same transmission or Sophos has a problem with the stateful packet inspection.

    Thanks everyone for your help and input!

    Regards,

    Tobias
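The two log lines above show the two things worth checking before touching NAT: the outbound RTP packet left via one interface (outitf="eth1") while the provider's answer arrived on another (initf="eth6"), and the answer came from a different provider port (15322) than the one the gateway sent to (21528), so the firewall's connection tracking cannot treat it as a reply to the existing UDP flow. The script below is an added example, not code from the thread or from Sophos: it parses ulogd packetfilter lines, correlates each dropped inbound UDP packet with earlier accepted outbound packets by (peer IP, local port, protocol), and flags interface asymmetry and peer-port mismatch separately. The sample lines are adapted from those quoted in the post (the poster's IP placeholders are kept); the last drop line is constructed to show the post-reboot case where only the port differs.

```python
"""Correlate ulogd packetfilter accept/drop lines to spot asymmetric UDP
return paths and reply-port mismatches. Added example, not from the thread."""
import re

# Sample log: lines 1-3 adapted from the post, line 4 constructed (reply on the
# same interface the request left on, but still from an unexpected peer port).
SAMPLE_LOG = """\
2020:04:22-00:55:13 gate-2 ulogd[20267]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="15" initf="eth0" outitf="eth6" srcmac="xxx" dstmac="xxx" srcip="LOCAL_SIP_GATEWAY" dstip="EXTERNAL_PROVIDER" proto="17" length="587" tos="0x00" prec="0xa0" ttl="63" srcport="5060" dstport="5060"
2020:04:23-08:14:16 gate-2 ulogd[20267]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="15" initf="eth0" outitf="eth1" srcmac="xxx" dstmac="xxx" srcip="LOCAL_SIP_GATEWAY" dstip="EXTERNAL_PROVIDER" proto="17" length="200" tos="0x00" prec="0xa0" ttl="126" srcport="6000" dstport="21528"
2020:04:23-08:20:20 gate-2 ulogd[20267]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth6" srcmac="" dstmac="" srcip="EXTERNAL_PROVIDER" dstip="EXTERNAL_IP_SOPHOS" proto="17" length="200" tos="0x00" prec="0x00" ttl="57" srcport="15322" dstport="6000"
2020:04:23-08:20:21 gate-2 ulogd[20267]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="" dstmac="" srcip="EXTERNAL_PROVIDER" dstip="EXTERNAL_IP_SOPHOS" proto="17" length="200" tos="0x00" prec="0x00" ttl="57" srcport="15322" dstport="6000"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(text):
    """Parse ulogd packetfilter lines into dicts of their key="value" fields.

    The leading timestamp is kept under 'ts'; lines from other subsystems
    (sub != packetfilter) are skipped.
    """
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("sub") != "packetfilter":
            continue
        fields["ts"] = line.split(" ", 1)[0]
        records.append(fields)
    return records


def correlate_udp_replies(records):
    """Match dropped inbound packets against earlier accepted outbound ones.

    Outbound = accepted and forwarded (has an outitf). Correlation key is
    (remote peer, local port, protocol): a reply must at least hit the local
    port the gateway used. Whether it also arrives on the interface the
    request left from, and from the peer port the request was sent to, is
    what each finding reports.
    """
    outbound = {}  # (peer, local_port, proto) -> [(ts, outitf, peer_port)]
    for r in records:
        if r.get("action") == "accept" and "outitf" in r:
            key = (r["dstip"], r["srcport"], r["proto"])
            outbound.setdefault(key, []).append((r["ts"], r["outitf"], r["dstport"]))

    findings = []
    for r in records:
        if r.get("action") != "drop":
            continue
        matches = outbound.get((r["srcip"], r["dstport"], r["proto"]), [])
        out_ifaces = sorted({m[1] for m in matches})
        peer_ports = sorted({m[2] for m in matches})
        findings.append({
            "ts": r["ts"],
            "peer": r["srcip"],
            "peer_port": r["srcport"],
            "local_port": r["dstport"],
            "in_iface": r["initf"],
            "out_ifaces": out_ifaces,
            "expected_peer_ports": peer_ports,
            # Reply entered on an interface the request never left from.
            "asymmetric": bool(matches) and r["initf"] not in out_ifaces,
            # Reply came from a port the gateway never sent to, so stateful
            # tracking of the outbound flow cannot match it as a reply.
            "port_mismatch": bool(matches) and r["srcport"] not in peer_ports,
        })
    return findings


def summarize(findings):
    """One human-readable line per finding, tagged with what went wrong."""
    lines = []
    for f in findings:
        tags = [t for t, on in (("ASYMMETRIC-PATH", f["asymmetric"]),
                                ("PEER-PORT-MISMATCH", f["port_mismatch"])) if on]
        if not f["out_ifaces"]:
            tags.append("NO-MATCHING-OUTBOUND")
        lines.append("%s %s:%s -> :%s in=%s out=%s %s" % (
            f["ts"], f["peer"], f["peer_port"], f["local_port"], f["in_iface"],
            ",".join(f["out_ifaces"]) or "-", " ".join(tags) or "ok"))
    return lines


if __name__ == "__main__":
    for line in summarize(correlate_udp_replies(parse_ulogd(SAMPLE_LOG))):
        print(line)
```

On a real box the input would be the full packetfilter log rather than SAMPLE_LOG; a finding tagged only PEER-PORT-MISMATCH means routing is now symmetric and what remains is the RTP reply ports not being opened, which is the gap the SIP helper or an explicit DNAT fills, while ASYMMETRIC-PATH means the multipath or NAT rules are still sending traffic out a different interface than the one the provider answers on.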

  • Please obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA